The revelations about the National Security Agency’s (NSA) broad monitoring of traffic and access to the data of cloud providers spurred by the actions of former NSA contractor Edward Snowden may or may not have hurt national security, depending on who you ask. But according to a recent survey by the industry organization Cloud Security Alliance (CSA), the exposure of NSA’s PRISM program is having a very real impact on the bottom line of US cloud service providers in the form of lost overseas customers.

Concerns about NSA surveillance are hardly new. The PATRIOT Act’s “Enhanced Surveillance” provisions have raised privacy concerns about using US service providers since it was passed. The allowance for warrantless access to traffic to and from “protected computers,” the overly broad definition of what exactly a protected computer is, and provisions for access to business records and metadata about customers left many concerned that the FBI and NSA could gain access to their corporate data just by asking cloud providers nicely for it. Revelations about the NSA’s collection of phone call metadata from telecom companies in 2006 offered more evidence for those concerns.

Two years ago, I was interviewing the CIO of a major Canadian healthcare organization for a story on cloud computing, and asked if he had considered using US cloud providers or software-as-a-service. He said that he couldn’t even begin to consider those because of concerns about Canadian patient privacy laws—not just because of differences between US and Canadian laws, but because of the assumption that NSA would gain access to patient records as they crossed the border.

At the time, the concern might have sounded a bit paranoid. But now that those concerns have been validated by the details revealed by Snowden, US cloud providers are losing existing customers from outside the US, according to the CSA study. The survey of members of the organization found that 10 percent of non-US member companies had cancelled contracts with US providers as a result of revelations about PRISM.

The PRISM revelations are also making it harder for US companies to get new business abroad. Of the non-US respondents to the survey, 56 percent are now less likely to consider doing business with a US service provider. And 36 percent of respondents from US companies said that the Snowden “incident” was making it harder for them to do business overseas.

Concerns about government access to cloud data weren’t limited to the US alone. Information about the NSA's collaboration with foreign intelligence organizations to provide data on their citizens has also spooked cloud customers about their own countries' surveillance programs. Of all those surveyed, 47 percent rated the process by which their governments obtained user information for terrorist and criminal investigations as poor, with little or no transparency.

The survey suggests that giving cloud providers the ability to provide transparency to customers over government access to data could undo some of the damage done by the PRISM revelations. Ninety-one percent of respondents said that companies should be allowed to publish information about their responses to subpoenas and FISA warrants.

Promoted Comments

The Canadian CIO clearly was misinformed. The NSA would not capture the records when they crossed the border. The US government has privately approached every US-based cloud provider and made it clear they interpreted the Patriot Act as applying to any IT system their company touches, even if those systems are hosted entirely offshore / outside US borders. It was also made clear the Patriot Act applied even when the seizure of such records is illegal in the jurisdiction in which the data physically resides. It is clear some kind of pressure was brought to bear, threats of repercussions, if the companies failed to comply with the US Government's requests; otherwise why would corporations comply with requests that are a) not in their business interest and b) counter to local country governance compliance. It comes down to who has a bigger stick (even though they may be speaking very softly indeed).

I work for a major Canadian health care technology provider. I wouldn't be surprised if it was the one mentioned in the article. We are setting up a Canadian cloud for an application that is already deployed and used by millions in the US, but could not be used by Canadians because of privacy laws. I'm not sure this decision by Canadian lawmakers has anything to do with the NSA. I think it's just the same concern everyone has regarding health care data privacy. We're not loath to host in the US per se, we're loath to host anywhere we can't prosecute breaches of privacy easily. Or maybe I'm completely wrong and I owe my job to NSA's overreach. In that case, thanks!

Sean Gallagher
Sean is Ars Technica's IT and National Security Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland. Email: sean.gallagher@arstechnica.com // Twitter: @thepacketrat